System and Methods for Path-Aware and Path-Assured Secure Virtual Private Lines and Secure Network Slices using Enhanced Digital Certificates in Multi-Vendor Multi-Domain Networks
Abstract
Methods of configuring path-aware point to point secure network private lines over multi-domain, multi-operator virtual and physical networks through network elements that are compliant with PKI Digital Certificates (eDC) with metadata enhancements are disclosed. Secure Network Slices (SNS) may then be constructed by interconnecting SVPLs through a network aggregation device such as switch/bridge/router which allows different network policies on different segments of the network. A Digital Trust Broker is disclosed that bridges between multiple Authentication/Authorization frameworks of an enterprise and the security frameworks of multiple operators and service providers that provide Secure Virtual Private lines and Secure Network Slices. Additionally, the methods that identify that any traffic exchange with internet or between differing levels of SNS or SVPLs go through enhanced security bridge that enforces policies of high security enterprise are also disclosed.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of creating a Secure Network Slice, which is a multi-point secure network, comprising:
creating a plurality of secure virtual private lines, wherein creating each secure virtual private lines comprises:
determining one or more forwarding paths through the network that connects two points;
querying each network device along each of the one or more forwarding paths to determine if each network device is trust assured and comprises an enhanced digital certificate, wherein the enhanced digital certificate comprises metadata regarding a provenance of the network device;
defining the secure virtual private line as a forwarding path between the two points wherein each network device in the forwarding path has an enhanced digital certificate having desired parameters; and
using an aggregation device to connect two or more secure virtual private lines to create the Secure Network Slice.
2 . The method of claim 1 , wherein the multi-point secure network comprises at least one of an enterprise network, a cloud provider, a communications service provider, a SDN, physical/virtual network segment, a 5G radio access network and a 5G core network.
3 . The method of claim 1 , wherein the metadata is selected from the group consisting of hardware or software make; hardware or software model or release; a region where the network device is manufactured; and a location where the network device is manufactured.
4 . The method of claim 1 , wherein the metadata comprises geolocation information regarding where the network device is deployed.
5 . The method of claim 1 , wherein the metadata comprises a list of security policies supported by the network device.
6 . The method of claim 1 , wherein the two of more secure virtual private lines are at different security levels and the aggregation device comprises an enhanced security bridge.
7 . The method of claim 1 , wherein a mobile device is configured to access the secure network slice, and the mobile device comprises an enhanced digital certificate and authenticates a user of the mobile device prior to allowing access to the secure network slice.
8 . The method of claim 7 , wherein the user is authenticated using at least one of multi-part authentication, device screen lock pass code, speaker recognition, fingerprint recognition, and facial recognition.
9 . A method of maintaining security in a Secure Network Slice, which is a multi-point secure network, comprising:
creating a Secure Network Slice, wherein the Secure Network Slice includes an enhanced security bridge, wherein the enhanced security bridge serves an interface between other devices in the Secure Network Slice and the internet; and forcing any traffic from the Secure Network Slice to or from the internet to pass through the enhanced security bridge.
10 . The method of claim 9 , wherein the enhanced security bridge is configured to perform deep packet inspection.
11 . The method of claim 9 , wherein the enhanced security bridge only allows traffic at a certain security level to access the internet.
12 . The method of claim 9 , wherein the enhanced security bridge allows only certain end points to access the internet.
13 . A Digital Trust Broker, comprising a plurality of functional software modules;
wherein the Digital Trust Broker is adapted to interact with an Operations and Management Platform (OMP) associated with an external operator to create and maintain a Secure Network Slice, wherein the Secure Network Slice is a logical network in a multi-domain network.
14 . The Digital Trust Broker of claim 13 , wherein when a user session attempts to access the Secure Network Slice, the Digital Trust Broker validates the user.
15 . The Digital Trust Broker of claim 13 , wherein when a user session attempts to access the Secure Network Slice, the Digital Trust Broker interacts with consumer premise equipment (CPE) to obtain security policy metadata of a Slice Certificate, and based on the Slice Certificate, determines which applications and departments of an enterprise are allowed to access the Secure Network Slice.
16 . The Digital Trust Broker of claim 13 , wherein the Digital Trust Broker gathers device forwarding behavior for specific interfaces in the Secure Network Slice, and based on historical information, detects an anomaly in an operation of the device.
17 . The Digital Trust Broker of claim 16 , wherein the Digital Trust Broker monitors packet volume, byte volumes, frequency, IO Read, IO Activity generated during a session, for each client server interaction by a user and user device.
18 . The Digital Trust Broker of claim 13 , wherein, after the Secure Network Slice has been created, the Digital Trust Broker creates new transit paths due to configuration changes.
19 . The Digital Trust Broker of claim 13 , wherein, after the Secure Network Slice has been created, the Digital Trust Broker revalidates each device in the Secure Network Slice.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.